Researchers crack smartphone PINs by gleaning phone’s own sensors.

Researchers from Nanyang Technological University in Singapore developed a technique that leverages a phone's sensors to guess a user's PIN code.

Using a custom application, the researchers fed a combination of information gathered from six different sensors found in smartphones into machine learning and deep learning algorithms to unlock a user's phone with a 99.5 percent accuracy rate within only three tries if the user has one of the 50 most commonly used PINs, according to a recent report.

Researchers were able to classify all 10,000 PIN combinations with up to an 83.7 percent success rate within 20 tries in a single-user setting, which is still an impressive feat, given that the previous phone-cracking record using the most common 50 PIN combinations was a success rate of 74 percent, the report said.

The app leverages the phone's accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor. The sensors were described as “zero-permission sensors” because they currently require no user approval for apps to access their data.

The information gleaned from the sensors is then matched to data collected from three test subjects who each entered a random set of 70 four-digit PIN numbers on a phone. Although the sample size is small, researchers said their algorithm will improve success rates as it monitors more users entering their PINs. Using this method, researchers were able to identify which buttons were pressed based on how the phone was tilted and how much light was blocked by the thumb or fingers.

“When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different,” Dr. Shivam Bhasin, NTU Senior Research Scientist, said in the press release. “Likewise, pressing 1 with your right thumb will block more light than if you pressed 9.”

Dr. Bhasin recommends that mobile operating systems restrict access to the sensors so that users can actively choose to give permissions only to trusted apps that require access to the sensors. Until this is done, Dr. Bhasin recommends that users choose PINs with more than four digits, coupled with other authentication methods like one-time passwords, two-factor authentication, and fingerprint or facial recognition.

The study highlights how even devices with seemingly strong security can be attacked using side-channel attacks to spy on user behavior, NTU Professor Gan Chee Li said in the release.

“Along with the potential for leaking passwords, we are concerned that access to phone sensor information could reveal far too much about a user's behavior,” said Prof Gan. “This has significant privacy implications that both individuals and enterprises should pay urgent attention to.”